Philadelphia Ransomware

Philadelphia Ransomware is a malicious program that can cause major damage to your computer. It is set to infect your computer through fake emails and encrypt a preset selection of file types. You must remove this program in order to continue using your computer, because you cannot do so while this application is present. Its creator, known as Rainmaker, sells it to would-be cyber criminals, who can customize it and set up the distribution campaign. Hence, this ransomware is a Ransomware-as-a-Service-type application, meaning that anyone with the right connections can get their hands on it. Philadelphia Ransomware has been wreaking havoc lately, infecting thousands of computers worldwide, and it is time to put a stop to it.

This particular ransomware has some unique features that ransomware typically does not possess. However, those features are also a handicap in the long run and might help you get your files back. Its developer claims that whoever purchases this program for 400 USD will be able to set the folders in which the ransomware will look for files, choose the extensions to be encrypted, define the intervals at which a selected number of files will be deleted if the payment is not made, edit the UAC (User Account Control) behaviour, edit interface texts with multiple language support, enable or disable USB infection and network spreading, and so on.

This ransomware has a rather primitive-looking but nonetheless effective graphical user interface that can show the list of infected users and their countries of origin. The developer has even included a “Give Mercy” button that can be used to decrypt the files for free. However, this application has some serious flaws, such as being written in the AutoIt scripting language, which can be decompiled and analyzed for flaws in the design that might help break its encryption; that said, a free decryption key has yet to be created. Furthermore, to set up this ransomware’s campaign, the buyer needs to install PHP scripts known as Bridges on a server. The Bridges are configured to connect to this ransomware, and their purpose is to store the encryption key, information about the victim, and payment information. The one controlling this ransomware has to run Philadelphia Ransomware’s client, called Philadelphia Headquarters, on their computer; it connects to each configured bridge and downloads the victim data. However, there is a fundamental problem with this design: unless the bridges are set up on the Tor network, they will get taken down, and once a bridge is taken down a victim will be unable to pay the ransom or decrypt the files.

Philadelphia Ransomware is set to ask its victims to pay 0.3 BTC, approximately 180 USD, to decrypt the files. If the bridge that is hard-coded into the ransomware is taken down, there is no use paying the ransom, because your files will not be decrypted: this ransomware relies on an autodecrypt function that kicks in once the payment has been made. So there is no “contact me to decrypt the files” nonsense of the kind so widely used by most ransomware developers.

We have received information claiming that Philadelphia Ransomware is distributed using phishing emails. The emails are made to look as if they have been sent from Brazil’s Ministry of Finance, and the email implies that it is an overdue payment notice. The emails contain a link to a bridge hosting a Java-based program that automatically downloads and executes this ransomware's installer. Once on your computer, this ransomware will immediately start encrypting the files and append the .locked extension to them.

That is all the information we currently have. The good news is that it has serious design flaws that will be the end of it sooner or later. So, we suggest that you delete this ransomware using the manual removal guide below or an anti-malware program such as SpyHunter, and search the web for a free decryption tool if you have important files you need decrypted. We do not recommend paying the ransom, as you would be financing the creation of new, more sophisticated ransomware.

How to delete this ransomware

Press Windows+E keys.

In the address bar, type C:\Users\[user name]\AppData\Roaming and press Enter.

Find lsas.exe, right-click it and click Delete.

Close the File Explorer window.

How to delete the registry string

Press Windows+R keys.

Type regedit, press Enter, and go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Find a string named Windows Update with Value data of %UserProfile%\Isass.exe and delete it.
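The two removal procedures above can be checked and carried out from one PowerShell script. The script below is an added example, not part of the original guide; it assumes the indicators exactly as the guide lists them (the Run value named Windows Update, %UserProfile%\Isass.exe and %AppData%\lsas.exe) and is run in the affected user's session.

```powershell
# Added example, not part of the original article: triage the persistence
# indicators that the removal guide walks through. Run it as the affected user.
# Without -Remove it only reports; with -Remove it deletes what it found.
param([switch]$Remove)

# Indicators taken from the guide: the Run value name, the command it points to
# (%UserProfile%\Isass.exe) and the dropped file (%AppData%\lsas.exe).
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue    = 'Windows Update'
$expectedCmd = Join-Path $env:USERPROFILE 'Isass.exe'
$droppedFile = Join-Path $env:APPDATA 'lsas.exe'

$findings = @()

# 1. Per-user Run entry. Windows Update itself never registers a value here,
#    so a value by that name pointing into the user profile is a red flag.
$entry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($entry) {
    $cmd = $entry.$runValue
    $findings += [pscustomobject]@{
        Type = 'RunKey'; Location = "$runKey\$runValue"; Detail = $cmd
        MatchesGuide = ($cmd -like '*Isass.exe*')
    }
}

# 2. Dropped executables. Hash them before deletion so the sample can be
#    checked against a reputation service or kept for the incident record.
foreach ($path in @($droppedFile, $expectedCmd)) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path; Detail = "SHA256 $hash"; MatchesGuide = $true
        }
    }
}

if (-not $findings) { Write-Host 'No Philadelphia indicators found.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        if ($f.Type -eq 'RunKey') {
            Remove-ItemProperty -Path $runKey -Name $runValue
        } else {
            # Stop any running copy first; deleting an executing image fails.
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $f.Location } | Stop-Process -Force
            Remove-Item -LiteralPath $f.Location -Force
        }
    }
}
```

Run it once without -Remove to confirm the findings match the guide, and keep the printed SHA256 values before running it again with -Remove.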